Gervase Markham <gerv@mozilla.org> wrote:
> What someone posted a day ago about "/" homograph attacks has meant
> that one thing we plan to do is have a short number of characters
> which are completely forbidden in IDN domains at any level - in that,
> mozilla.org products would refuse to recognise IDNs containing them.

Please think twice before creating a precedent of a browser completely
blackholing a technically valid (albeit devious) site. I think it would
be sufficient, security-wise, for the browser to inhibit the display of
domain names believed to be misleading, and to display them in ASCII
form instead, but still allow access to the site.

> My initial list includes the homographs of ":", ".", "/" and probably
> "\" too, plus all the space characters.

I imagine you'd want all the characters that could immediately follow
the host name in a URI, so add "?" and "#" to that list.

But how well do average users know URI syntax anyway? What would they
think of:

http://foo.com&bar.baz.xx
http://foo.com~bar.baz.xx
http://foo.com|bar.baz.xx

Maybe we either need to ban all punctuation (as in my proposal about
internationalized host names), or always make the boundaries of the
domain name apparent to the user (using color or highlighting or
underlining or something).

> P.S. Of course, the slash homograph attack wouldn't fool the Firefox
> SSL domain security indicator anyway, which would still display the
> entire domain, fake slashes and all.

Yes, but do users understand what that indicator means? If they see
foo.com/bar.baz.xx in the indicator, do they understand that it is
unrelated to foo.com?

AMC
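
The display-side mitigation discussed in this message (show a suspect name in ASCII form but keep the site reachable), sketched as an added example that is not part of the original message or of any Mozilla code. The look-alike list is a constructed, non-exhaustive assumption, the function names are hypothetical, and `ban_all_punctuation` models the stricter "ban all punctuation" option:

```python
import unicodedata

# Constructed, non-exhaustive look-alikes for the URI delimiters
# ":", ".", "/", "\", "?" and "#" (an assumption, not a browser's real list).
DELIMITER_LOOKALIKES = {
    "\u2044", "\u2215", "\uff0f",   # fraction slash, division slash, fullwidth solidus
    "\uff3c", "\u2216",             # fullwidth reverse solidus, set minus
    "\uff1a", "\u2236", "\ua789",   # fullwidth colon, ratio, modifier letter colon
    "\uff0e", "\u3002", "\u2024",   # fullwidth full stop, ideographic full stop, one dot leader
    "\uff1f", "\uff03",             # fullwidth question mark, fullwidth number sign
}

def suspicious_chars(label, ban_all_punctuation=False):
    """Return the characters in one label that could fake a host-name boundary."""
    found = []
    for ch in label:
        cat = unicodedata.category(ch)
        if ch in DELIMITER_LOOKALIKES or cat == "Zs":      # short list + space characters
            found.append(ch)
        elif ban_all_punctuation and ord(ch) > 0x7F and cat[0] in "PSZ":
            found.append(ch)                               # any non-ASCII punctuation/symbol
    return found

def to_ascii_label(label):
    """Raw Punycode form of a label (no nameprep applied), for display only."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def display_host(host, ban_all_punctuation=False):
    """Return (text_to_show, flagged); flagged hosts are shown in ASCII form."""
    labels = host.split(".")
    flagged = any(suspicious_chars(l, ban_all_punctuation) for l in labels)
    if not flagged:
        return host, False
    return ".".join(to_ascii_label(l) for l in labels), True
```

The function only changes what is displayed; the decision to load the site is left untouched, which is the behaviour argued for above.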